SANS ISC InfoSec Forums

Billy Hoffman, a security researcher at SPI Dynamics presented a new tool called Jikto at ShmooCon. The tool exploits Cross Site Scripting (XSS) vulnerabilities which tricks victim into running malicious code. The code is injected into the victim's browser where it runs silently. It either seeks more XSS vulnerable targets and reports back to the attacker or it can also report back to the bot controller and await further commands.

Since Javascript is OS independent, this tool will run well on browsers running on different OS platforms. With Cross Site Scripting flaws being one of the most common vulnerabilities reported these days, it is easy to understand the potential effects of a toolkit like this.

Although Billy did not release the tool to the public, the attack principles have been well understood amongst the security research community. Most researchers believe this proof of concept will very likely become real attacks shortly.